Transient Effect Ring Oscillators Leak Too · 2019-03-15


Transient Effect Ring Oscillators Leak Too

Ugo Mureddu, Brice Colombier, Nathalie Bochard, Lilian Bossuet, Viktor Fischer

Univ Lyon, UJM-Saint-Etienne, CNRS, Laboratoire Hubert Curien UMR 5516, F-42023, SAINT-ETIENNE, France

{ugo.mureddu, b.colombier, nathalie.bochard, lilian.bossuet, fischer}@univ-st-etienne.fr

Abstract. Up to now, the transient effect ring oscillator (TERO) seemed to be a better building block for PUFs than a standard ring oscillator, since it was thought to be immune to electromagnetic analysis. Here, we report for the first time that TERO PUFs are in fact vulnerable to electromagnetic analysis too. First, we propose a spectral model of a TERO cell output, showing how to fit it to experimental data obtained with the help of a spectrum analyser to recover the number of oscillations of a TERO cell. We then extend it to two TERO cells oscillating simultaneously, and show how this ability can be used to fully clone a TERO PUF. These results should help designers to better plan for susceptibility of TERO PUFs to electromagnetic analysis in their future designs.

Keywords: Transient effect ring oscillator, electromagnetic leaks, side-channel analysis, semi-invasive passive attack, physical unclonable function

1 Introduction

With the sharp increase in the deployment and integration of the Internet of Things, one challenge is to ensure security with respect to privacy and trust issues. With billions of connected devices, there is a huge risk of unauthorised use or abuse. To protect from such risks, security mechanisms are needed for per-device authentication and authorisation, integrated in early design stages.

On the other hand, the miniaturisation of electronic devices is causing industrial problems since reducing the size of electronic components increases manufacturing process variability (MPV) leading, for example, to a mismatch between transistors. Although managing MPV is a challenge, silicon physical unclonable functions (PUF) are taking advantage of it since they exploit MPV to extract a secret and unique identifier per die, which is usually a binary string. This unique identifier enables identification, authentication and generation of secret keys in many applications, including the Internet of Things [4].

For these reasons, PUFs have been a hot topic in the last decade. Since the first introduction of a PUF by Pappu in 2002 [15], many PUF principles have been published and implemented on both FPGA and ASIC. The best-known are memory-based PUFs including SRAM PUFs [17] and delay PUFs such as arbiter PUFs [18] and ring oscillator (RO) PUFs [6]. Regardless of the principle, an efficient PUF should provide an identifier per die that is unique, unpredictable, stable over time and insensitive to environmental conditions.

Among PUF principles, architectures that make use of oscillating elements were shown to be best suited for FPGA implementations [8,14].

However, it has been demonstrated that, once implemented in a physical device, PUFs are, in fact, sensitive to side channel analysis [13]. Side channel analysis refers to any attack based on information gained from a physical implementation, rather than weaknesses in the mathematical concept itself. Among the most notorious side channels are timing information, power consumption and electromagnetic leaks. In the case of RO, electromagnetic analysis is very efficient. Indeed, many studies have dealt with electromagnetic analysis of RO, showing the ability to retrieve the oscillation frequency of the ROs used for PUF or TRNG applications [12,11,1]. At the same time, a PUF architecture based on a new oscillating element emerged: the transient effect ring oscillator (TERO)-based PUF. It is supposed to be insensitive to electromagnetic analysis since it does not exploit the oscillation frequency but the number of oscillations instead [2].

In this article, we show for the first time that TERO PUFs are sensitive to electromagnetic analysis. We first demonstrate that it is possible to retrieve the number of oscillations of one TERO cell using electromagnetic analysis. We then extend this analysis and show that we can also recover the number of oscillations of two TERO cells oscillating simultaneously. Finally, we describe a cloning attack on a complete TERO PUF.

The rest of this article is organised as follows. In Section 2, we recall all the necessary background information about TERO PUFs. In Section 3, we present a spectral model of the TERO output. In Section 4, we provide experimental results of the EM analysis of one TERO cell, two TERO cells oscillating simultaneously, and a complete TERO PUF. Finally, Section 5 concludes this article. All VHDL design files of the FPGA implementations are available online¹ for reproducibility.

2 The transient effect ring oscillator PUF

2.1 Transient Effect Ring Oscillator

A TERO, shown in Figure 1, is a multi-event oscillating ring with signal collisions [5]. It has two states: one oscillating transient state and one non-oscillating steady state. It is composed of two branches of an odd number of inverters (delay gates) and two AND gates as activation gates. A TERO corresponds to a specific configuration of an RS latch [16].

Fig. 1: A transient effect ring oscillator

When the control signal, denoted ctrl in Figure 1, switches from logic level '0' to logic level '1', two electrical events start to propagate across the ring. Due to mismatches caused by MPVs between the CMOS transistors composing the ring, one event is faster than the other. That is the reason why, while the output oscillation frequency remains constant, the duty cycle drops to 0 % or rises to 100 % until the oscillations stop. Figure 2 shows an example of TERO output behaviour.

The oscillation frequency of the TERO is given in Equation (1) where $d_{AND}$ is the mean delay of an AND gate and $d_{INV}$ the mean delay of an inverter.

$$f_{osc} = \frac{1}{2 \times d_{AND} + 2 \times N \times d_{INV}} \qquad (1)$$

A more complete description of the TERO by Cherkaoui et al. can be found in [3] and by Marchand et al. in [10].

¹ https://gitlab.univ-st-etienne.fr/ugo.mureddu/em-analysis-of-transient-effect-ring-oscillator-based-puf/tree/master

Fig. 2: TERO output behaviour (out) after activation (ctrl)

2.2 TERO PUF architecture

The TERO PUF is composed of two blocks (A and B) of m TERO cells, two n-bit counters and a bit extractor, as depicted in Figure 3. To avoid correlation, a cell in block A is always compared to a cell of block B. One cell per block is selected using two demultiplexers. Two multiplexers then drive the correct cell output to the two n-bit counters. The cell selection signal (select cell in Figure 3) is usually called the challenge.

The TERO-PUF principle consists in comparing the number of oscillations of two identically implemented cells. That is why the outputs of the counters are sent to a subtractor. With this structure, 1 to 3 bits can be extracted per challenge. As explained in [9], the counters and the activation time of the control signal must be sized according to the mean number of oscillations of the TERO cells. For this study, each block is composed of m = 128 TERO cells with N = 7 inverters per branch. Counters are 11 bits wide (n = 11) and the activation time is set to 10 µs. Interested readers can refer to [3] for TERO cell design guidelines.

3 Spectral model of a TERO output

According to the description of the previous section, the TERO output signal is modeled to evaluate how the number of oscillations influences the spectrum amplitude. This signal is modeled as a case of pulse width modulation (PWM). This modulation technique controls the pulse duration according to a modulator signal. In the case of a TERO, the output duty-cycle increases or decreases exponentially. As a consequence, the modulator signal mod(t) is defined in Equation (2).

$$mod(t) = 1 - e^{-t/\tau} \qquad (2)$$


Fig. 3: TERO PUF architecture

The PWM signal (PWM(t)) results from the comparison of a periodic triangular signal (tri(t)) and mod(t). Figure 4 shows the PWM signal generated when an exponential is used as a modulator signal. This behaviour was modeled and the source code is provided on the dedicated web site². The smaller the τ value, the smaller the number of oscillations.

Figures 5a and 5b show the influence of the number of oscillations $N_{osc}$ on the spectrum amplitude for τ = 0.1 and τ = 2. The control signal (ctrl) is modeled as a square signal with a period of 4 s, the TERO output signal (out) is modeled with PWM(t) and the single-sided amplitude spectrum of the TERO output signal ($|FFT_{out}(f)|$) is obtained with the fast Fourier transform of PWM(t). The triangle wave frequency is set to 100 Hz so $f_{osc}$ = 100 Hz. For τ = 0.1, $N_{osc}$ = 9. For τ = 2, $N_{osc}$ = 183.

Fig. 4: TERO output model with PWM

These simulations show the impact of the number of oscillations on the spectral contribution. Namely, they highlight the fact that the spectrum of the TERO output is directly influenced by the number of oscillations. Indeed, the greater the number of oscillations, the narrower the peak at the oscillation frequency $|FFT_{out}(f_{osc})|$. Therefore, by observing the electromagnetic emanation of a TERO cell, one can recover the number of oscillations of this cell. Since the number of oscillations is used directly to generate the PUF response, this response can then be recovered. This is demonstrated experimentally in the next section.

² https://gitlab.univ-st-etienne.fr/ugo.mureddu/em-analysis-of-transient-effect-ring-oscillator-based-puf/tree/master
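The Section 3 model as an added Python example (this is not the authors' published model code): it builds PWM(t) from tri(t) and mod(t), counts the oscillations, and measures the half-maximum width of the spectral peak near $f_{osc}$ for τ = 0.1 and τ = 2. The triangle peak of 0.6, the 10 kHz sampling rate, the 2 s activation window and the closed-form Fourier integral used in place of an FFT are assumptions of this example; the page does not give the triangle amplitude.

```python
import cmath
import math

F_OSC = 100.0      # triangle-wave frequency from the text (Hz)
FS = 10_000        # simulation sampling rate (Hz) -- assumption
TRI_PEAK = 0.6     # triangle amplitude -- assumption, not given on the page
T_ACTIVE = 2.0     # ctrl is high for half of its 4 s period


def pwm_pulses(tau):
    """Return [(t_rise, t_fall), ...] of PWM(t) = 1 while tri(t) > mod(t)."""
    spp = int(FS / F_OSC)                      # samples per triangle period
    pulses, rise, prev = [], 0.0, False
    for n in range(int(T_ACTIVE * FS) + 1):
        frac = (n % spp) / spp                 # phase within the current period
        tri = TRI_PEAK * (1.0 - abs(2.0 * frac - 1.0))
        mod = 1.0 - math.exp(-(n / FS) / tau)  # Equation (2)
        high = tri > mod
        if high and not prev:
            rise = n / FS
        elif prev and not high:
            pulses.append((rise, n / FS))
        prev = high
    if prev:                                   # still oscillating when ctrl drops
        pulses.append((rise, T_ACTIVE))
    return pulses


def spectrum(pulses, f):
    """|Fourier transform| at f (Hz) of the 0/1 pulse train.

    Each rectangular pulse [a, b] contributes
    (exp(-j*w*a) - exp(-j*w*b)) / (j*w), with w = 2*pi*f.
    """
    w = 2.0 * math.pi * f
    acc = sum(cmath.exp(-1j * w * a) - cmath.exp(-1j * w * b) for a, b in pulses)
    return abs(acc / (1j * w))


def peak_width(pulses, span=40.0, step=0.1):
    """Width (Hz) of the region around the peak near F_OSC that stays
    at or above half of the peak magnitude."""
    count = int(round(2 * span / step)) + 1
    freqs = [F_OSC - span + i * step for i in range(count)]
    mags = [spectrum(pulses, f) for f in freqs]
    k = max(range(count), key=mags.__getitem__)
    half = mags[k] / 2.0
    lo = hi = k
    while lo > 0 and mags[lo - 1] >= half:
        lo -= 1
    while hi < count - 1 and mags[hi + 1] >= half:
        hi += 1
    return (hi - lo + 1) * step


if __name__ == "__main__":
    for tau in (0.1, 2.0):
        p = pwm_pulses(tau)
        print(f"tau={tau}: N_osc={len(p)}, last pulse ends at {p[-1][1]:.3f} s, "
              f"half-max peak width={peak_width(p):.1f} Hz")
```

With the assumed triangle peak of 0.6 the pulse counts equal the $N_{osc}$ values quoted above for both τ values, and the peak for τ = 2 is much narrower than for τ = 0.1.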

4 Passive electromagnetic semi invasive attacks

4.1 Experimental setup

The TERO electromagnetic emissions are evaluated using the setup shown in Figure 6. This setup includes:

– An FPGA evaluation platform called HECTOR [7] comprising a common motherboard for communication and multiple daughter-boards with different FPGAs,
– An EM probe RS H 2.5-2 by Rohde & Schwarz,
– A low-noise amplifier (LNA) HZ-16 by Rohde & Schwarz connecting the probe to the spectrum analyser for measurement of high-frequency fields up to 3 GHz,
– A real-time spectrum analyser RSA607a by Tektronix,
– An XYZ table with a precision of 1 µm where the FPGA platform is fixed to move precisely under the probe,
– A PC to program the FPGA, control the XYZ table and record data from the spectrum analyser.

This study was performed on two FPGA families from two different manufacturers: Xilinx Spartan 6 and Intel Cyclone V to demonstrate that the results do not depend on the FPGA target. Before giving the results of electromagnetic analysis, we detail the implementation of all the evaluated designs.

Fig. 5: TERO output FFTs for two different τ values: (a) τ = 0.1, (b) τ = 2

4.2 Design implementations


Fig. 6: Picture of the experimental setup

Design 1 - One TERO cell. In this design, the FPGA is a Xilinx Spartan 6. It is configured with one N = 7 TERO cell. For the preliminary test, the output of the TERO cell is sent out to the oscilloscope. The TERO cell is periodically restarted by a 50 kHz control signal. Figure 7a shows the design architecture. Figure 7b shows the Xilinx ISE floor plan after implementation where each element of the TERO and their connections are visible. The output of the TERO goes through a buffer before being sent out of the FPGA.

Fig. 7: Implementation of Design 1 - One TERO cell: (a) architecture, (b) Xilinx ISE floor plan

Design 2 - One TERO cell. Like in Section 4.2, only one TERO cell is implemented but the output of the cell is not sent out of the FPGA. This design was implemented on both Xilinx Spartan 6 and Intel Cyclone V FPGAs. Figure 8a shows the design architecture. Figure 8b and Figure 8c show screenshots of the Xilinx ISE and the Intel Quartus floor plans.

Fig. 8: Implementation of Design 2 - One TERO cell: (a) architecture, (b) Xilinx ISE floor plan, (c) Intel Quartus floor plan

Design 3 - Two TERO cells. In the third design, two TERO cells are identically implemented and activated by the same control signal. Figure 9a shows the design architecture. Figure 9b and Figure 9c show screenshots of the Xilinx ISE and the Intel Quartus floor plans. The floor plans reflect the fact that the placement of the cells is identical in both cases. This is a requirement of the PUF design to ensure that the only differences in the cells to be compared are in the MPVs.

Design 4 - TERO PUF. The last design is a complete TERO PUF as described in Section 2.2, implemented on a Xilinx Spartan 6 FPGA. Figure 10a shows the design architecture. The control signal and a selection word for each block are sent to the FPGA. The PUF response and the outputs of the TERO cells are not sent out of the FPGA. Figure 10b shows a screenshot of the Xilinx ISE floor plan after the PUF implementation where the two blocks of m = 128 TERO cells are clearly visible. As in Section 4.2, TERO cells are identically implemented to extract MPVs.

Fig. 9: Implementation of Design 3 - Two TERO cells: (a) architecture, (b) Xilinx ISE floor plan, (c) Intel Quartus floor plan

Fig. 10: Implementation of Design 4 - TERO PUF: (a) architecture, (b) Xilinx ISE floor plan

4.3 Electromagnetic analysis

Design 1 - One TERO cell. As explained in Section 4.2, only one N = 7 TERO cell is implemented on a Xilinx Spartan 6 FPGA with a periodic control signal to automatically restart the TERO cell. A mean oscillation frequency of 174.4 MHz and a mean number of oscillations of 228 are recorded with the oscilloscope. Figure 11 shows the TERO oscillations observed from the oscilloscope.

Fig. 11: TERO cell input and output observed on an oscilloscope

Since the oscillation frequency of the TERO is known, the spectrum analyser is centered at this frequency with a span of 7 MHz. By probing the FPGA, it is possible to capture the electromagnetic emissions of the running TERO cell. Figure 12 shows the results from the spectrum analyser.

Fig. 12: Spectrogram of one TERO cell EM emanation

The spectrogram gives the emission amplitude (red represents high amplitude and blue low amplitude) per frequency over time. In Figure 12, the oscillation frequency of the TERO can be seen clearly at 174.4 MHz. It is also possible to retrieve for how long it oscillates. In this case, it oscillates for 1.28 µs. With the oscillation frequency and the duration of oscillation, the number of oscillations can be computed: $N_{osc} = 1.28 \times 10^{-6} \times 174.4 \times 10^{6} = 223$. It is worth noting that there is a slight difference between the number of oscillations computed with the electromagnetic emission and the one measured with the oscilloscope. This is because the oscilloscope records a mean of all the TERO runs whereas the spectrum analyser records only one run in real time. Once the oscillation frequency of the TERO is identified, another representation of the electromagnetic emissions provided by the spectrum analyser can be used: amplitude versus time (see Figure 13). This allows for an easy measurement of the duration of oscillation. Figure 13 shows that spectrum amplitude increases with time, i.e. with the number of oscillations. This confirms that a passive attacker can recover the number of oscillations of one TERO cell, in accordance with the simulations described in Section 3.

Fig. 13: Amplitude vs time of one TERO cell EM emanation at 174.4 MHz

Design 2 - One TERO cell. Following the approach detailed in [1], we performed a mapping of the electromagnetic emanation of the FPGA at 174.4 MHz without outputting the TERO output signal. Unfortunately, this does not lead to a successful identification of any electromagnetic emission. Indeed, the TERO emission is not powerful enough to emerge from the ambient electromagnetic noise. In the first experiment, this simple approach was successful because sending the signal to an output of the FPGA increased the emission amplitude. The analysis of a TERO cell implemented on an Intel Cyclone V FPGA led to similar results.

In contrast with RO electromagnetic analysis, since the TERO only oscillates for a limited period of time, it does not radiate sufficiently to be captured by the spectrum analyser without sending its signal on an output of the FPGA. To analyse the TERO output signal without sending it out of the FPGA, decapsulation is required.

For this reason, in the following experiments, we decapsulated the FPGAs before electromagnetic analysis. The decapsulation protocol is the same as described in [19]. Figure 14 shows the two decapsulated FPGAs.

Fig. 14: Decapsulated FPGAs: (a) Intel Cyclone V, (b) Xilinx Spartan 6

After decapsulation, we performed a mapping of both FPGAs to detect the electromagnetic emission of the TERO cells. For the TERO cell implemented on Xilinx Spartan 6, the result is similar to that of experiment 1: the number of oscillations is close to 225. For the TERO cell implemented on Intel Cyclone V, we identified an oscillation frequency of 198 MHz and a number of oscillations of 462.

Design 3 - Two TERO cells. For this experiment, two N = 7 TERO cells are implemented in the decapsulated Xilinx Spartan 6 FPGA. The TERO outputs are not sent out of the FPGA and the two TEROs are triggered simultaneously by the same control signal. Figure 15 shows the spectrogram resulting from this experiment. The electromagnetic emission captured by the spectrum analyser can be divided into two parts. In the first part, both TERO cells are running. In the second part, only one TERO cell is still running. The first part lasts for 1.28 µs during which the TERO from Section 4.3 can be identified. The loss of amplitude after 1.28 µs makes it possible to identify that one TERO cell stops oscillating. It is also important to note that during the first part, the electromagnetic emission span is larger. Indeed, the two TEROs do not oscillate at the exact same frequency. This is a second hint that one TERO cell stopped oscillating. From this experiment, the two TERO cells and their number of oscillations can be identified undoubtedly. The first TERO cell oscillates 223 times at 174.4 MHz. The second TERO cell oscillated at 174.6 MHz for 5.11 µs. Thus, the number of oscillations of the second TERO cell is 892.

This experiment shows that even when two TERO cells are started simultaneously, their respective number of oscillations can be recovered successfully.

Fig. 15: Spectrogram of the EM emanation of two TERO cells (frequency in Hz versus time in s; colour scale from low to high amplitude)

Design 4 - TERO PUF. Since we demonstrated that it is possible to retrieve the number of oscillations of two TERO cells oscillating at the same time, the experiment was done on the PUF described in Section 4.2. It should be recalled that TERO cells composing the PUF are implemented identically with N = 7 delay elements. Implementation details are available in [9]. For this reason, all TERO cells oscillate at around 174 MHz. Thus, the spectrum analyser is centered at 174 MHz with a span of 7 MHz to make sure that we capture the spectrum of all the TERO cells when they oscillate.

As mentioned in Section 2.2, the activation time of the TERO cells for each comparison is 10 µs. Figure 16 shows the spectrogram of four successive comparisons of TERO cells from block A with TERO cells from block B. Dividing Figure 16 vertically in blocks of 10 µs makes it possible to isolate each comparison. For this experiment, successive comparisons are as follows: TERO cell $A_i$ is compared with TERO cell $B_i$, TERO cell $A_{i+1}$ is compared with $B_{i+1}$ and so on. This proves that the spectrum analyser can catch successive TERO runs.

For obvious security reasons, the result of the comparison of the two TERO cells is not sent out of the FPGA directly. However, assuming that users have access to the PUF challenge, only a small number of comparisons combined with electromagnetic analysis are sufficient to clone the PUF.

Fig. 16: Spectrogram of the EM emanation of a TERO PUF (frequency in Hz versus time in s; colour scale from low to high amplitude; four successive intervals labelled 10ns)

First, the comparisons of the $(A_1, B_1)$ and $(A_1, B_2)$ pairs make it possible to retrieve the number of oscillations of $A_1$ by finding the common pattern in both comparisons. Second, the comparisons of the $(A_1, B_i)$ pairs are performed for i ranging from 3 to m. This reveals the number of oscillations of all the TERO cells in block B. Third, the comparisons of the $(A_i, B_1)$ pairs are performed for i ranging from 2 to m. This reveals the number of oscillations of all the TERO cells in block A. Ultimately, 2 × m − 1 comparisons are sufficient to retrieve the number of oscillations of all the cells and clone the PUF.

5 Conclusion

In this article, we presented and discussed electromagnetic analysis of TERO PUFs. We show for the first time that TERO cells leak and that consequently, their number of oscillations can be retrieved without accessing their outputs. This gives the ability to fully clone a TERO PUF. By performing the study on two FPGAs made by two different manufacturers, we also demonstrated that electromagnetic analysis is efficient whatever the device used. It is important to note that outputting the TERO signal on an FPGA output increases the electromagnetic emission. What is more, it is free access to the challenges of the PUF that makes it possible to clone it. The results presented here, together with the freely available VHDL codes, will help designers to better foresee and prevent TERO leakages in their future designs.

Acknowledgements

This work was carried out in the framework of the FUIAAP22-Project PILAS supported by Bpifrance.

References

1. P. Bayon, L. Bossuet, A. Aubert, and V. Fischer. Electromagnetic analysis on ring oscillator-based true random number generators. In International Symposium on Circuits and Systems, pages 1954–1957, 2013.

2. Lilian Bossuet, Xuan Thuy Ngo, Zouha Cherif, and Viktor Fischer. A PUF based on a transient effect ring oscillator and insensitive to locking phenomenon. IEEE Transactions on Emerging Topics in Computing, 2(1):30–36, 2014.

3. A. Cherkaoui, L. Bossuet, and C. Marchand. Design, evaluation, and optimization of physical unclonable functions based on transient effect ring oscillators. IEEE Transactions on Information Forensics and Security, 11(6):1291–1305, June 2016.

4. Abdelkarim Cherkaoui, Lilian Bossuet, Ludwig Seitz, Goran Selander, and R. Borgaonkar. New paradigms for access control in constrained environments. In International Symposium on Reconfigurable and Communication-Centric Systems-on-Chip, pages 1–4, Montpellier, France, May 26-28 2014.

5. Viktor Fischer, Patrick Haddad, and Abdelkarim Cherkaoui. Ring oscillators and self-timed rings in true random number generators. In Yoshifumi Nishio, editor, Oscillator Circuits: Frontiers in Design, Analysis and Applications, pages 267–292. IET, 2016.

6. Blaise Gassend, Dwaine Clarke, Marten van Dijk, and Srinivas Devadas. Silicon physical random functions. In Conference on Computer and Communications Security, CCS '02, pages 148–160, New York, NY, USA, 2002. ACM.

7. M. Laban, M. Drutarovsky, V. Fischer, and M. Varchola. Modular evaluation platform for evaluation and testing of physically unclonable functions. In International Conference Radioelektronika, pages 1–6, April 2018.

8. Abhranil Maiti, Jeff Casarona, Luke McHale, and Patrick Schaumont. A large scale characterization of RO-PUF. In International Symposium on Hardware-Oriented Security and Trust, pages 94–99, Anaheim Convention Center, California, USA, 13-14 June 2010. IEEE.

9. C. Marchand, L. Bossuet, and A. Cherkaoui. Design and characterization of the TERO-PUF on SRAM FPGAs. In Annual Symposium on VLSI, pages 134–139. IEEE Computer Society, July 2016.

10. C. Marchand, L. Bossuet, U. Mureddu, N. Bochard, A. Cherkaoui, and V. Fischer. Implementation and characterization of a physical unclonable function for IoT: A case study with the TERO-PUF. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 37(1):97–109, Jan 2018.

11. D. Merli, J. Heyszl, B. Heinz, D. Schuster, F. Stumpf, and G. Sigl. Localized electromagnetic analysis of RO PUFs. In International Symposium on Hardware-Oriented Security and Trust, pages 19–24. IEEE, June 2013.

12. Dominik Merli, Dieter Schuster, Frederic Stumpf, and Georg Sigl. Semi-invasive EM attack on FPGA RO PUFs and countermeasures. In Workshop on Embedded Systems Security, WESS '11, pages 2:1–2:9, New York, NY, USA, 2011. ACM.

13. Dominik Merli, Dieter Schuster, Frederic Stumpf, and Georg Sigl. Side-channel analysis of PUFs and fuzzy extractors. In Jonathan M. McCune, Boris Balacheff, Adrian Perrig, Ahmad-Reza Sadeghi, Angela Sasse, and Yolanta Beres, editors, Trust and Trustworthy Computing, volume 6740 of Lecture Notes in Computer Science, pages 33–47. Springer Berlin Heidelberg, 2011.

14. Sergey Morozov, Abhranil Maiti, and Patrick Schaumont. An analysis of delay based PUF implementations on FPGA. In Phaophak Sirisuk, Fearghal Morgan, Tarek El-Ghazawi, and Hideharu Amano, editors, Reconfigurable Computing: Architectures, Tools and Applications: 6th International Symposium, ARC, pages 382–387, Bangkok, Thailand, March 2010. Springer Berlin Heidelberg.

15. Ravikanth Pappu, Ben Recht, Jason Taylor, and Neil Gershenfeld. Physical one-way functions. Science, 297(5589):2026–2030, 2002.

16. L. M. Reyneri, D. Del Corso, and B. Sacco. Oscillatory metastability in homogeneous and inhomogeneous flip-flops. IEEE Journal of Solid-State Circuits, 25(1):254–264, Feb 1990.

17. Ying Su, J. Holleman, and B.P. Otis. A digital 1.6 pJ/bit chip identification circuit using process variations. IEEE Journal of Solid-State Circuits, 43(1):69–77, Jan 2008.

18. G. Edward Suh and Srinivas Devadas. Physical unclonable functions for device authentication and secret key generation. In Design Automation Conference, pages 9–14, San Diego, CA, USA, June 4-8 2007.

19. Christian Wittke, Zoya Dyka, Oliver Skibitzki, and Peter Langendoerfer. Preparation of SCA attacks: Successfully decapsulating BGA packages. In Ion Bica and Reza Reyhanitabar, editors, Innovative Security Solutions for Information Technology and Communications, pages 240–247. Springer International Publishing, 2016.